Amazon WorkLink is a fully managed service that provides your employees and contractors secure, one-click access to your internal websites and web apps using their mobile phones.

Easy setup and administration

Amazon WorkLink can be easily set up from your AWS Management Console. To get started, link your existing identity provider to Amazon WorkLink, and use that to configure access permissions for your employees. Next, add your web domains that will be accessed using WorkLink. To enable access to these added web domains, use your existing on-premises VPN hardware to create a point-to-point connection with your AWS Virtual Private Cloud (VPC) or simply use Direct Connect if you have it set up already. Once you have completed these steps, you can use the provided email template to invite employees to download the Amazon WorkLink app from their device app store, log in with their corporate credentials, and start accessing internal websites using Safari.

set up

Secure content isolation

Amazon WorkLink performs on-device DNS resolution to identify internal website and web app requests, and then loads this content in a secure container running in AWS. Amazon WorkLink processes all HTML, JavaScript, and CSS in AWS, and transforms it into vector graphics. It then delivers the content to employee phones as vector graphics, while preserving native interactions. As a result, internal web pages are never directly rendered on these devices, and content isn’t stored or downloaded to local browser caches. Amazon WorkLink also isolates browsing sessions by providing a dedicated pool of EC2 instances to each customer, and a dedicated container to each active user.

Split rendering

Amazon WorkLink identifies which elements of the requested page require user input, such as text boxes and drop-down lists. It mirrors those interactive elements of the webpage on mobile phones, so that user actions are processed locally. Amazon WorkLink displays the rest by rendering layers of vector graphics to represent each web page on mobile phones. By splitting the rendering of the webpage, Amazon WorkLink enables a smooth and natural user experience when scrolling, zooming, or providing user input.

Amazon WorkLink works seamlessly with websites and web apps that persist application state with browser cookies. Amazon WorkLink integrates with the AWS Key Management Service (KMS) to encrypt cookies in AWS containers before sending them to employee phones. The cookies cannot be decrypted on the employee phones, and are sent back to the AWS cloud to be decrypted when needed. This allows your employees to resume their browsing sessions and provides an uninterrupted, secure browsing experience.

SAML-based user management

Amazon WorkLink supports user authentication and federated sign-in using any SAML 2.0 compliant identity provider. You can use your SAML provider to authorize which groups of users from your directory should have access to Amazon WorkLink as well as set user permissions for your internal websites.

Microsoft Active Directory integration

Amazon WorkLink allows you to use your Microsoft Active Directory to manage user authentication. You can apply existing group policies to enable access to Amazon WorkLink as well as set user permissions for your internal websites. You can integrate with your Microsoft Active Directory in two ways – either by establishing a secure connection between your Microsoft Active Directory and your AWS Directory Service for Microsoft Active Directory (Enterprise Edition) domain controller, or by using the AWS Directory Service Active Directory Connector. You can link your AWS Directory Service with Amazon WorkLink via AWS Single Sign-On at no extra charge.

Granular access control

Amazon WorkLink lets you specify which of your internal websites and web apps should be available to your employees, contractors, and partners. You can whitelist the sites that you want to make accessible externally in the Amazon WorkLink console, and set permissions for your users through your existing identity provider including, SAML 2.0 and Active Directory. This lets you control the level of access users get, and makes it easier to protect your information.

Monitoring and analytics

Amazon WorkLink creates activity logs that allow you to track the total number of people accessing content through it, the content they accessed, and when they accessed that content. These logs are delivered to you via an Amazon Kinesis stream and you can store, process, and analyze these logs with familiar tools or data store of your choice. For example, you can stream these logs to Amazon S3 and use tools such as Splunk to analyze the information. Similarly, you can direct this data to Amazon Redshift via a Kinesis Data Firehose and use Amazon QuickSight to generate reports and dashboards.

The Amazon WorkLink mobile app performs on-device DNS resolution, and verifies users access to the WorkLink service. When an employee uses the browser on their phones to navigate to an internal site, the Amazon WorkLink app resolves the associated DNS request locally on the employee phone and routes the corporate web page request through AWS. Amazon WorkLink does not route any personal web page requests through AWS. DNS resolution for those requests are handled by the default DNS resolver on employee phones. The Amazon WorkLink app verifies employee access to WorkLink, and honors your existing SAML policies. The app prompts employees to re-login only when their SSO session expires, so that employees don't need to log in each time they want to access an internal website.

Managed service

Amazon WorkLink owns and manages the deployment, provisioning and scaling of the resources you need, and automatically keeps these resources up to date. Amazon WorkLink-managed resources dynamically connect with your Amazon Virtual Private Cloud (VPC) to access the internal websites you specify. You can leverage AWS Direct Connect installations to route traffic from AWS to company websites and deprecate the use of VPN gateway hardware and software on-premise. Alternatively, you can reuse existing VPN installations to setup a site-to-site VPN tunnel between AWS and the on-premise network. This allows you to reduce your on-premises management overhead since you no longer need to maintain complex client-to-site VPN gateways that need to be secured to allow direct access from employee phones.

Standard Product Icons (Features) Squid Ink
Learn about features

Learn more about Amazon WorkLink features.

Learn more 
Sign up for a free account
Sign up for a free account

Instantly get access to the AWS Free Tier. 

Sign up 
Standard Product Icons (Start Building) Squid Ink
Start building in the console

Get started building with Amazon WorkLink in the AWS Console.

Sign in